docs(B5): closure trio — security + performance + business (close Milestone B5)

CLAUDE.md

@@ -4,7 +4,7 @@ This file is the entry point for Claude-based AI agents (Claude Code, Claude API
 
 ## What this project is
 
-Tyrne is a **capability-based microkernel** written in Rust, in the lineage of seL4 and Hubris. The project is **pre-alpha**, but implementation is well underway: the kernel boots end-to-end on QEMU `virt` aarch64 and runs a two-task capability-gated IPC demo. The project is **mid-Phase B** — the MMU, PMM, address-space objects, and task loader (load half) are done; the syscall ABI and first userspace task are next. Architecture is documented as Architecture Decision Records (see the [ADR index](docs/decisions/README.md)); active implementation work lives under `kernel/`, `hal/`, and `bsp-qemu-virt/`. Primary development target is QEMU `virt` on aarch64; first real hardware target is the Raspberry Pi 4.
+Tyrne is a **capability-based microkernel** written in Rust, in the lineage of seL4 and Hubris. The project is **pre-alpha**, but implementation is well underway: the kernel boots end-to-end on QEMU `virt` aarch64 and runs a two-task capability-gated IPC demo. The project is **mid-Phase B** — the MMU, PMM, address-space objects, task loader (load half), and the syscall boundary (the EL0→EL1 ABI + panic-free dispatcher) are done; the first userspace task running in EL0 is next. Architecture is documented as Architecture Decision Records (see the [ADR index](docs/decisions/README.md)); active implementation work lives under `kernel/`, `hal/`, and `bsp-qemu-virt/`. Primary development target is QEMU `virt` on aarch64; first real hardware target is the Raspberry Pi 4.
 
 See [README.md](README.md) for the public overview.
 

README.md

@@ -26,8 +26,8 @@ The kernel boots end-to-end on QEMU `virt` aarch64 today, runs a capability-gate
 | Physical Memory Manager | **Done** — bitmap allocator with zero-fill on `alloc_frame` and three-stage validation on `free_frame`. |
 | Per-task `AddressSpace` kernel object | **Done** — cap-gated `cap_create_address_space` / `cap_map` / `cap_unmap`. |
 | Task loader (load half) | **Done** — `load_image` produces a `LoadedImage` describing a populated address space for a `.rodata`-resident raw-flat blob. |
-| Syscall ABI + EL0 entry | **Next** — Phase B5; will turn `LoadedImage` into a runnable `Task`. |
-| First userspace "hello" | **Planned** — Phase B6. |
+| Syscall ABI + dispatcher | **Done** — Phase B5; `SVC` trap → panic-free dispatcher → typed `SyscallError`; five-syscall v1 set; capability-gated `console_write` (debug-gated); validated copy-from/to-user. |
+| First userspace "hello" (EL0) | **Next** — Phase B6; turns `LoadedImage` into a runnable EL0 `Task` and exercises the real EL0↔EL1 round-trip. |
 
 The active task and its current state live in [`docs/roadmap/current.md`](docs/roadmap/current.md).
 Full phase plans are under [`docs/roadmap/phases/`](docs/roadmap/phases/).

docs/analysis/reports/perf-baseline-2026-05-29-B5-closure.md

@@ -0,0 +1,96 @@
+# Boot-to-end perf baseline — 2026-05-29 — B5-closure
+
+Generated by `tools/perf-harness.sh` — multi-run aggregation of the kernel's
+`boot-to-end elapsed = X ns` emission (P10 from the [2026-05-06 Track D
+review](../reviews/code-reviews/2026-05-06-full-tree/track-d-performance.md)).
+
+## Inputs
+
+| Field | Value |
+|-------|-------|
+| Run timestamp (UTC) | `2026-05-29T13:55:53Z` |
+| Iterations requested | 20 |
+| Iterations valid | 20 |
+| Iterations failed | 0 |
+| Per-run timeout | 5 s |
+| Build profile | release |
+| Kernel ELF | `target/aarch64-unknown-none/release/tyrne-bsp-qemu-virt` |
+| Git HEAD | `afeed10` on `sec-review-b5-syscall-boundary` |
+| QEMU | `QEMU emulator version 10.2.2` |
+| Host `uname -a` | `Darwin MacBookPro.hgw.local 24.6.0 Darwin Kernel Version 24.6.0: Wed Nov  5 21:30:23 PST 2025; root:xnu-11417.140.69.705.2~1/RELEASE_X86_64 x86_64` |
+| Wall-clock (full harness run) | 102 s |
+
+## Methodology
+
+Each iteration invokes `tools/run-qemu.sh` under a per-run watchdog;
+QEMU emits the boot trace through to `tyrne: all tasks complete` plus
+the `boot-to-end elapsed = X ns` line, then halts in WFI. The watchdog
+kills the QEMU process after the per-run timeout (the kernel never
+exits on its own). The integer ns delta is parsed out of stdout.
+
+Counter source: the kernel's `now_ns()` (`hal::Timer`) reads the EL1
+virtual generic-timer counter and converts to nanoseconds via the
+cached `CNTFRQ_EL0` resolution. Under QEMU TCG the counter advances
+based on emulated instructions rather than wall-clock time, so
+variance reflects translation-cache behaviour and host scheduler
+jitter, not real hardware performance.
+
+Statistics are computed across the valid samples only. Percentile
+convention is *nearest-rank* (1-indexed; `idx = ceil(p/100 * n)`).
+Stddev is the population formula (`n` divisor) — descriptive.
+
+**Note on p99 at small `n`.** Under nearest-rank, `p99 = a[ceil(0.99 *
+n)]`; for any `n < 100` the index rounds up to `n` and `p99 == max`
+by construction. The number is reported as-computed (matching p10 /
+p50 / p90's convention) but readers should not over-read it as a
+tail-latency signal at small `n`. p99 becomes statistically
+informative when `n >= 100`.
+
+## Metric — boot-to-end elapsed (nanoseconds)
+
+| Statistic | ns | ms |
+|-----------|---:|---:|
+| min | 17,334,000 | 17.334 |
+| p10 | 17,645,008 | 17.645 |
+| p50 | 20,300,000 | 20.300 |
+| p90 | 24,706,000 | 24.706 |
+| p99 | 26,265,008 | 26.265 |
+| max | 26,265,008 | 26.265 |
+| mean | 21,065,050 | 21.065 |
+| stddev | 2,696,816 | 2.697 |
+
+## Raw samples
+
+One ns value per line, in iteration order (NOT sorted):
+
+```text
+23964992
+22780000
+22014992
+22609008
+18599008
+25636000
+17334000
+24706000
+18634000
+20300000
+22456000
+19612992
+20786000
+18138000
+17645008
+18336000
+19196992
+19168992
+23118000
+26265008
+```
+
+## Verdict
+
+Baseline only — no proposal under measurement. Cite the band above
+(p10 / p50 / p90) when comparing later changes against this snapshot.
+Single-run boot-to-end claims in PR bodies should be replaced with a
+fresh harness run when a non-trivial perf-relevant change lands; see
+[`docs/standards/infrastructure.md`](../../standards/infrastructure.md)
+§"Performance harness".